WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 



Appln No. 09/626,699 
Docket No. 562492002620 



PCT 

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



(51) International Patent Classification 7 
H04L 9/08, H04Q 7/38 



Al 



(11) International Publication Number: 
(43) International Publication Date: 



WO 00/25475 

4 May 2000 (04.05.00) 



(21) International Application Number: PCT/US99/24522 

(22) International Filing Date: 19 October 1999 (19.10.99) 



(30) Priority Data: 
09/178,192 



23 October 1998 (23.10.98) 



US 



(71) Applicant: QUALCOMM INCORPORATED [US/US]; 5775 

Morehouse Drive, San Diego, CA 92121-1714 (US). 

(72) Inventor: QUICK, Roy, Franklin, Jr.; 4502 Del Monte Avenue, 

San Diego, CA 92107 (US). 

(74) Agents: OGROD, Gregory, D. et at,; Qualcomm Incorporated, 
5775 Morehouse Drive, San Diego, C A 92121-1714 (US). 



(81) Designated States: AE, AL, AM, AT, AU, AZ, BA, BB, BG, 
BR, BY, CA, CH, CN, CR, CU, CZ, DE, DK, DM, EE, 
ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP ( 
KE, KG, KP, KR, KZ, LC, LK, LR ( LS, LT, LU, LV, MA, 
MD, MG, MK, MN, MW t MX, NO, NZ, PL, PT, RO, RU, 
SD, SE, SG, SI, SK, SL, TJ, TM, TO, TT, TZ, UA, UG, 
UZ, VN, YU, ZA, ZW, ARIPO patent (GH, GM, KE, LS, 
MW, SD, SL, SZ, TZ, UG, ZW), Eurasian patent (AM, AZ, 
BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, 
CH, CY, DE, DK, ES, FI, FR, GB ( GR, IE, IT, LU, MC, 
NL, PT, SE), OAP1 patent (BF, BJ, CF t CG, CI. CM, GA, 
GN, GW, ML, MR, NE, SN, TD, TG). 



Published 

With international search report. 

Before the expiration of the time limit, for amending the 
claims and to be republished in the event of the receipt of 
amendments. 



(54) Title: SUBSCRIPTION PORTABILITY FOR WIRELESS SYSTEMS 
(57) Abstract 



A short Personal Identification Number (PIN) is 
used to transfer a subscription for wireless service to a 
new wireless terminal (104), thereby providing enhanced 
personal mobility to the subscriber. The transfer is 
rendered secure by the exchange of Diffie-Hellman 
Encrypted Key Exchange (DH-EKE) messages (110, 
114). 
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SUBSCRIPTION PORTABILITY FOR WIRELESS SYSTEMS 



I. Technical Field 

This invention relates to wireless voice and data systems, and has 
particular relation to allowing a subscriber to move his subscription from 
one wireless terminal to another. The invention thus provides subscription 
portability, sometimes also called personal mobility. 

II. Background Art 

A wireless terminal (portable telephone, laptop computer, etc.) cannot 
be used as such unless its user has subscribed to a wireless communications 
service, so that the terminal may use that service to communicate with 
other terminals, both wireless and wireline. This in turn requires the 
service provider to register and provision that terminal, that is, to recognize 
that terminal as being entitled to service and to program the terminal with 
identification and security information that allows it to access the wireless 
service. 

In the wireless service industry the term "registration" has several 
meanings. Herein the term "registration" will be used to mean an exchange 
of the information needed to establish the identity of the user of a terminal 
and to permit access to wireless services. 

This registration may be required in two situations. First, when the 
terminal is originally purchased, it is not registered to anyone. This 
situation is referred to as initial provisioning. Second, a subscriber may 
choose to re-register, that is, to transfer his subscription from one wireless 
terminal to another. This re-registration might be, for example, from his 
portable telephone to his laptop computer, or from his regular portable 
telephone to the portable telephone which he has just rented on a trip to a 
distant city. This re-registration is referred to as subscription portability. 

In early wireless systems such as the analog Advanced Mobile Phone 
Systems (AMPS), provisioning is performed manually by trained personnel 
at a terminal distribution site. One of these employees manually registers 
the terminal with the service provider, typically over the land line 
telephone. The employee enters information into the terminal through the 
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keypad, using secret information which the service provider has made 
available to him/her, and storing the subscription information permanently 
in the terminal. This arrangement is expensive because the seller must 
have extensively trained employees at every retail outlet. Furthermore, the 
process is not secure, since the secret information is readily available to 
these employees. 

One alternative means for dealing with both initial provisioning and 
subscription portability is to provide to the user a separate, removable 
device known as a user identification module (UIM). The service provider 
provisions identity and security information into the UIM before 
distributing it to the user. When the user inserts the UIM into a terminal, 
the terminal reads the necessary identity information from the UIM and 
thereby acquires the identity of the user's subscription. This means is 
popular in the Global System for Mobiles (GSM) system. Registering the 
terminal after insertion of the UIM is an over-the-air process, and involves 
a three-way transfer of information between the module, a base station 
operated by the service provider (which has a unique identification 
number), and the wireless terminal itself (which has a unique Electronic 
Serial Number, or ESN). 

This first alternative means is still not entirely satisfactory. It requires 
an electronic interface between the module and the wireless terminal and 
this interface adds cost to the terminal. Further, the interface is open to 
contamination when the UIM is removed and inserted, and consequently 
may become unreliable with repeated use. 

A second alternative means deals with the initial provisioning but 
not with subscription portability. This second means requires that, when the 
subscriber , first buys a new telephone, the user dials a special number to 
reach a customer service representative who can determine the credit of the 
user and can then program the necessary subscription information into the 
terminal using over the air messages. 

This second alternative means is an improvement over the UIM 
means in that it requires no special interface in the terminal. This second 
means, however, is also not entirely satisfactory, because the service 
provider must still have highly skilled personnel in the customer service 
center to operate the over-the-air programming equipment. The expensive 
nature of the customer service process prohibits the subscriber from re- 
registering a telephone which a friend has loaned to him for a day or two. 

The purpose of this invention is to provide a method for initial 
provisioning and subscription portability that does not require skilled 
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personnel to complete the provisioning and registration process, nor a 
removable item that the user must physically insert into the terminal. 

The procedure described herein requires only that the subscriber enter 
his/her portable wireless subscription identifier, or user identifier 
(conventionally, his International Mobile User Identifier, or IMUI) and a 
password (conventionally, his Personal Identification Number, or PIN) into 
a wireless terminal. The password may be entered into the terminal in any 
convenient manner, such as keying a number into a keypad, speaking a 
phrase (with suitable voice recognition technology) into the microphone, or 
any other convenient manner. The wireless terminal is then able to contact 
the service provider using over-the-air signals, obtain necessary subscription 
information, and automatically reprogram itself - and reprogram the 
service provider - so that the service provider thereafter recognizes this 
wireless terminal as being registered to this subscriber. The password must 
be fairly short - typically four to six digits, as in bank card PINs - because the 
average subscriber cannot memorize a security code that is sufficiently long 
(twenty digits or more) to impede a brute-force attack. 

It is evident that the password must be protected from compromise 
during the registration process, otherwise the subscription information 
would be subject to cloning by fraudulent users who obtain the user 
identifier and password. Recent advances in cryptography, such as the work 
of Bellovin and Merritt, cited below, provide techniques for securely 
verifying that the terminal and wireless network both know the correct 
password without revealing the password. These techniques also provide 
means for establishing encryption keys that can be used in the encryption of 
subscription information exchanged subsequent to the initial password 
confirmation. The existence of these techniques makes it possible to support 
registration for initial provisioning and subscription portability without 
need for removable UIMs nor for customer service intervention. 

BRIEF DISCLOSURE OF THE INVENTION 

Applicant has developed a subscription which is truly portable from 
one wireless terminal to another, and which uses passwords which are both 
short and secure. 

Whenever a subscriber wishes to register a terminal to his 
subscription, he enters his user identifier (conventionally, his International 
Mobile User Identifier, or IMUI) and his password (conventionally, his 
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Personal Identification Number, or PIN) into the terminal. The terminal 
generates a public/private key pair and stores it. This key pair is preferably a 
Diffie-Hellman (D-H) key pair. It optionally concatenates the public key with 
a random number, and encrypts the (optionally concatenated) number with 
the password. Any convenient Secure Key Exchange (SKE) method may be 
used. Several suitable SKE methods are described in Thomas Wu, " The 
Secure Remote Passw ord Protocol. " Prnc. 199R Intprnpt Society Network and 
Distributed System Security Symposium, San Diego, CA, March 1998, pp. 97- 
111, http://jafar.stanford.edu/srp/ndss.html, and in David P. Jablon, " Strong 
Password-Only. Authenticated Key Exchange." of Integrity Sciences. Tnr.. of " 

Westboro. Massachusetts. USA. March 2, 1997, 

ht tp://world.std.com/~dpj/speke97.html. the disclosures of which are 
incorporated herein bv reference. The Diffie-Hellman Encrypted Key 
Exchange (DH-EKE) method of Bellovin and Merritt is particularly suitable, 
and the remaining description of the present invention is made with 
reference to DH-EKE. See Steven M. Bellovin and Michael Merritt, 
"Encrypted Key Exchange: Password-Based Protocols Secure Against 
Dictionary Attacks," in Proc. IEEE Computer Society Symposium on 
Research in Security and Privacy, pp. 72-84, May 1992, the disclosure of 
which is incorporated herein by reference. Either elliptic curve or 
exponential groups can be used with this method. The resulting encrypted 
message is called the DH-EKE message. 

The terminal then makes wireless contact with a local serving system 
and requests registration. This serving system may be the subscriber's home 
system, but often it is not. In any event, the terminal and the home system 
must be assured of each other's identities, whether there is no intermediate 
serving system, one system, or even several. The remainder of this 
description assumes one intermediate system, but is readily modified to 
handle none or several. That is, the terminal and the home system will 
always be the source and destination (or vice versa) of messages, regardless 
of how many intermediate systems (if any) they have to pass through. 

The terminal tells the serving system what the subscriber's home 
system is, by stating either the full user identifier or enough of the user 
identifier as is necessary to identify the home system. It also states the DH- 
EKE message. Preferably, the serving system first provides its D-H public key 
to the terminal, so that the specifics of who is requesting registration are not 
sent in the clear. Also preferably, the serving system opens a channel with 
the terminal to facilitate the registration process. 
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The serving system sends the DH-EKE message to the home system, 
which decrypts it with the password. The password is known only to the 
home system and the subscriber. The home system thereby recovers the 
subscriber's public key. The home system generates its own D-H 
public/private key pair and stores it. It then concatenates the newly 
generated public key with a random number, encrypts the concatenated 
number with the password using DH-EKE, and transmits this newly 
generated DH-EKE message back to the terminal. The terminal decrypts it 
with the password and recovers the home-system public key. 

The terminal and the home system are now each in possession of its 
own private key and the other's public key, both of which are far larger than 
the password. Each is thus able to generate a common session key using 
conventional methods. Each is further able to securely use the session key 
to download a virtual User Identification Module (VUIM) into the terminal, 
that is, to provide to the terminal, over the air, some or all of the 
information which otherwise would be obtained from a physical UIM 
(PUIM) being inserted into the terminal. 

Registration may now continue in the conventional fashion, as 
though a PUIM had been used. Alternatively, registration may be included 
within the downloading process. This is possible since a terminal with a 
VUIM already has something which a terminal with a PUIM does not 
acquire until later, namely, a communications link to (and a shared secret 
session key with) the home system. 

A strength of this method is that the public keys are temporary, and 
can be replaced on each subsequent registration. Further, each public key is 
essentially a random number, providing no indication whether an 
attempted decryption was or was not successful. An off-line dictionary attack 
therefore fails. The only thing that a dictionary attacker recovers is a 
collection of possible public keys, none of which has anything to distinguish 
it from any of the others. There is thus nothing to distinguish a correct 
guess of the password from an incorrect guess. The follow-on on-line attack 
must therefore still use the entire dictionary of passwords, and will 
therefore fail. 

This strength may also be viewed as the password being used as a. 
private key in a key exchange procedure, rather than as an encryption key 
per se. It is for this reason that the process is called Secure Key Exchange 
rather than Encrypted Key Exchange. It is not necessary that the terminal 
and home system exchange passwords nor session keys in encrypted form. 
What is important is that the home system be assured that the terminal 
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knows the password and has the common session key. It is also important 
that the password not be discoverable by eavesdroppers while the terminal 
is demonstrating its identity to the home system. If the password is not 
included in the message, even in encrypted form, then it is more difficult to 
be compromised. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 shows an exchange of DH-EKE messages. 
FIG. 2 shows an authentication procedure. 

DETAILED DESCRIPTION 

FIG. 1 shows an exchange 100 of DH-EKE messages. The user 102 
enters the user identifier and password into the wireless terminal 104. The 
terminal 104 generates a pair of Diffie-Hellman (D-H) private and public 
keys, and stores them. Optionally, the terminal 104 and the base station of 
the serving system 106 carry out a separate procedure to establish a local 
session encryption key SESS 108 to protect the user identifier from 
interception. The terminal 104 uses the password to encrypt the D-H public 
key, optionally concatenated with a random number before encryption, then 
transmits the user identifier (optionally encrypted under the local session 
key) and the encrypted public key, that is, a first DH-EKE message 110, to the 
base station of the serving system 106 in a registration request. This request 
should result in a dedicated channel assignment in order to complete the 
download procedure efficiently. 

The serving system 106 contacts the home system 112 requesting a 
subscription registration. The home system 112 decrypts the wireless 
terminal's public key using the password in the subscription record. The. 
home system then creates a private and public D-H key, from which a 
tentative session key is obtained using the terminal's public key and the 
home system's private key. The home system then encrypts its own public 
key, optionally concatenating a . random number before encryption, using 
the password stored in the subscription record and returns it in the form of a 
second DH-EKE message 114 to the wireless terminal 104 via the serving 
system 106. The wireless terminal 104 decrypts the home system's public key 
and creates (hopefully) the same tentative session key, using the home 
system's public key and its own private key. 
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FIG. 2 shows an authentication procedure 200 which must follow the 
DH-EKE exchange. The wireless terminal 104 and home system 112 carry 
out this procedure to prove that each have the same key. This 
authentication could be either unilateral (for example, only allowing the 
home system 112 to authenticate the wireless terminal 104) or bilateral. The 
bilateral technique has three steps. First, the wireless terminal 104 encrypts a 
random number C w and sends the encrypted number E(C W ) 202 to the home 
system 112. Second, the home system 112 generates its own random 
number C H , encrypts (C w , C H ) and sends the encrypted number E(C W , C H ) 204 
to the wireless terminal 104. Third, the wireless terminal 104 encrypts C H 
and sends the encrypted number E(C H ) 206 to the home system 112. A 
unilateral procedure could, for example, omit the first step, and replace C w 
in the second step by a second random number. 

The public keys were encrypted by the password, and the 
authentication consists of three different things being sent in an interlocked 
manner. Therefore, a man-in-the-middle attacker cannot cause a false 
acceptance of keys, and cannot know the mutual key without breaking the 
discrete logarithm or elliptic-curve group. Such breakage is currently 
considered infeasible if the group size is sufficiently large. 

If the home system 112 verifies the session key of the wireless 
terminal 104, it will transfer the subscription information - that is, all or 
part of a virtual UIM (VUIM) - to the serving system 106, in both encrypted 
form for over-the-air transmission and in unencrypted form for use by the 
serving system. The. session key - or, at least, a first portion of it - can also 
serve as an authentication key AUTH 116 for subsequent authentications of 
the terminal 104 in the serving system 106. This has advantages over the 
current cellular authentication procedures in that the authentication key is 
created at each registration, and therefore will change randomly from 
registration to registration. Typically the D-H exchange produces 512 bits of. 
output, which is more than are needed for authentication. As a result, the 
remainder of the session key, that is, a second portion of it, can serve as a 
conventional encryption key for subsequent control signal transmissions. 

The serving system 106 downloads the encrypted subscription data - 
the VUIM - to the terminal and makes a registration entry in the Visitor 
Location Register (VLR). The user is now ready to make calls. 

For subsequent system accesses, the user can be assigned a Temporary 
Mobile User Identifier (TMUI) as described in existing cellular standards. 
The generation of per-call encryption keys can be carried out using the 
authentication key using procedures described in existing cellular standards. 
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In other words, the airlink security procedures in existing cellular standards 
can be used without modification after the generation of the authentication 
key using the methods described here. 

5 Industrial Application 

My invention is capable of exploitation in industry, and can be made 
and used, whenever is it desired to register a wireless subscription in a new 
wireless terminal. The individual components of the apparatus and 
10 method shown herein, taken separate and apart from one another, may be 
entirely conventional, it being their combination which I claim as my 
invention. 

While I have described various modes of apparatus and method, the 
true spirit and scope of my invention are not limited thereto, but are limited 
15 only by the following claims and their equivalents, and I claim such as my 
invention. 
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1) A method for registering a wireless subscription to a wireless 
2 terminal, the method comprising the steps of: 

a) entering a user identifier) and a password) into the wireless 
4 terminal; 

b) at the wireless terminal: 

6 i) generating a public/private key pair; 

ii) using the password to encrypt the wireless terminal's 
8 public key according to a secure key exchange (SKE) 

protocol, thereby forming a first SKE message; and 
10 iii) transmitting the user identifier and the first SKE 

message to a home system; 
12 c) at the home system; 

i) generating a public/private key pair; 
14 ii) using the user identifier to determine the password; 

iii) using the password to encrypt the home system's public 
16 key according to an SKE protocol, thereby forming a 

second SKE message; 
18 iv) transmitting the second SKE message to the wireless 

terminal; 

20 v) using the password to decrypt the wireless terminal's 

public key; and 

22 vi ) using the home system's private key and the wireless 

terminal's public key to form a session key; 
24 d) at the wireless terminal: 

i) using the password to decrypt the home system's public 
2 6 key; and 

ii) using the wireless terminal's private key and the home 
28 system's public key to form the session key; and 

e) at both the wireless terminal and at the home system, using the 
30 session key todownload all or part of a Virtual User. 

Identification Module (VUIM) from the home system to the 
32 wireless terminal. 



2) 

2 



The method of Claim 1, further comprising the step of encrypting the 
user identifier before transmitting it. 
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The method of Claim 1, further comprising the step of opening a 
communications channel before transmitting, the second SKE 
message to the wireless terminal. 

The method of Claim 1, wherein the steps of transmitting the SKE 
messages from a source to a destination further comprise the steps of: 

a) transmitting the SKE messages from the source to an 
intermediate serving system; and 

b) transmitting the SKE messages from the intermediate serving 
system to the destination. 

The method of Claim 4, further comprising the steps of: 

a) using a first portion of the session key as an authentication key 
in subsequent authentications of the wireless terminal in the 
intermediate serving system; and 

b) using a second portion of the session key as an encryption key 
in subsequent control signal transmissions. 

The method of Claim 1, wherein: 

a) the public/private key pairs comprise Diffie-Hellman 
public /private key pairs; and 

b) the SKE messages comprise Diffie-Hellman Encrypted Key 
Exchange (DH-EKE) messages. 

The method of claim 1, wherein: 

a) the step of using the password to encrypt the wireless 
terminal's public key comprises the steps of: 

i) first concatenating the wireless terminal's public key 
with a first random number, thereby forming a first 
concatenated number; and 

ii) using the password to encrypt the first concatenated 
number; and 

b) the step of using the password to encrypt the home system's 
public key comprises the steps of: 

i) first concatenating the home system's public key with a 
second random number, thereby forming a second 
concatenated number; and 

ii) using the password to encrypt the second concatenated 
number. 
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8) Apparatus for registering a wireless subscription to a wireless 
2 terminal, the apparatus comprising: 

a) means for entering a user identifier and a password into the 
4 wireless terminal; 

b) at the wireless terminal: 

6 i) means for generating a public/private key pair; 

ii) means for using the password to encrypt the wireless 
8 terminal's public key according to a secure key exchange 

(SKE) protocol; thereby forming a first SKE message; and 
*0 iii) means for transmitting the user identifier and the first 

SKE message to a home system; 
12 c) at the home system: 

i) means for generating a public/private key pair; 
14 ii) means for using the user identifier to determine the 

password; 

!6 iii) means for using the password to encrypt the home 

system's public key according to an SKE protocol, thereby 
18 forming a second SKE message; 

iv) means for transmitting the second SKE message to the 
20 wireless terminal; 

v) means for using the password to decrypt the wireless 
22 terminal's public key; and 

vi) means for using the home system's private key and the 
24 wireless terminal's public key to form a session key; 

d) at the wireless terminal: 

26 i) means for using the password to decrypt the home 

system's public key; and 
28 ii) means for using the wireless terminal's private key and 

the home system's public key to form the session key; 
30 and 

e) at both the wireless terminal and at the home system, means 
32 for using the session key to download all or part of a Virtual 

User Identification Module (VUIM) from the home system to 
34 the wireless terminal. 



9) 

2 



The apparatus of Claim 8, further comprising means for encrypting 
the user identifier before transmitting it. 



00/25475 PCT/US99/24522 

12 

The apparatus of Claim 8, further comprising means for opening a 
communications channel before transmitting the second SKE 
message to the wireless terminal. 

The apparatus of Claim 8, wherein the means for transmitting the 
SKE messages from a source to a destination further comprises: 

a) means for transmitting the SKE messages from the source to an 
intermediate serving system; and 

b) means for transmitting the SKE messages from the 
intermediate serving system to the destination. 

The apparatus of Claim 11, further comprising: 

a) means for using a first portion of the session key as an 
authentication -key in subsequent authentications of the 
wireless terminal in the intermediate serving system; and 

b) means for using a second portion of the session key as an 
encryption key in subsequent control signal transmissions. 

The apparatus of Claim 8, wherein: 

a) the public/private key pairs comprise Diffie-Hellman 
public/private key pairs; and 

b) the SKE messages comprise Diffie-Hellman Encrypted Key 
Exchange (DH-EKE) messages. 

The apparatus of claim 8, wherein: 

a) the means for using the password to encrypt the wireless 
terminal's public key comprises: 

i) means for first concatenating the wireless terminal's 
public key with a first random number, thereby forming 
a first concatenated number; and 

ii) means for using the password to encrypt the first 
concatenated number; and 

b) the means for using the password to encrypt the home system's 
public key comprises: 

i) means for first concatenating the home system's public 
key with a second random number, thereby forming a 
second concatenated number; and 

ii) means for using the password to encrypt the second 
concatenated number. 
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15) A wireless terminal constructed to: 

a) receive a user identifier and a password into the wireless 
terminal; 

b) generate a public/private key pair; 

c) use the password to encrypt the wireless terminal's public key 
according to a secure key exchange (SKE) protocol, thereby 
forming an SKE message; 

d) transmit the user identifier and the SKE message to a home 
system; 

e) receive an encrypted public key from the home system; 

f) use the password to decrypt the encrypted public key from the 
home system; 

g) use the wireless terminal's private key and the home system's 
public key to form the session key; and 

h) use the session key to download all or part of a Virtual User 
Identification Module (VUIM) from the home system to the 
wireless terminal. 

16) The terminal of Claim 15, further comprising means for encrypting 
the user identifier before transmitting it. 

17) The terminal of Claim 15, further comprising means for opening a 
communications channel before transmitting the user identifier and 
the SKE message. 

18) The terminal of Claim 15, wherein a portion of the terminal 
constructed to transmit the SKE messages from a source to a 
destination further comprises: 

a) means for transmitting the SKE messages from the source to an 
intermediate serving system; and 

b) means for transmitting the SKE messages from the 
intermediate serving system to the destination. 



19) 



The terminal of Claim 18, wherein a portion of the terminal 
constructed to encrypt the terminal's public key comprises: 
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a) means for using a first portion of the session key as an 
authentication key in subsequent authentications of the 
wireless terminal in the intermediate serving system; and 

b) means for using a second portion of the session key as an 
encryption key in subsequent control signal transmissions. 

The terminal of Claim 15, wherein: 

a) the public/private key pairs comprise Diffie-Hellman 
public/private key pairs; and 

b) the SKE messages comprise Diffie-Hellman Encrypted Key 
Exchange (DH-EKE) messages. 

The terminal of claim 15, wherein: 

a) a portion of the terminal constructed to use the password to 
encrypt the wireless terminal's public key comprises: 

i) means for first concatenating the wireless terminal's 
public key with a first random number, thereby forming 
a first concatenated number; and 

ii) means for using the password to encrypt the first 
concatenated number; and 

b) a portion of the terminal constructed to use the password to 
encrypt the home system's public key comprises: 

i) means for first concatenating the home system's public 
key with a second random number, thereby forming a 
second concatenated number; and 

ii) means for using the password to encrypt the second 
concatenated number. 

A home system constructed to: 

a) generate a public/private key pair; 

b) receive a user identifier and an encrypted public key from a 
wireless terminal; 

c) use the user identifier to determine password; 

d) use the password to enc^pt the home system's public key 
according to a secure key exchange (SKE) protocol, thereby 
forming a SKE message; 

e) transmit the SKE message; 

0 use the password to decrypt the wireless terminal's public key; 
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g) use the home system's private key and the wireless terminal's 
public key to form a session key; and 

h) use the session key to download all or part of a Virtual User 
Identification Module (VUIM) from the home system to the 
wireless terminal. 

The system of Claim 22, further comprising means for opening a 
communications channel before receiving the user identifier. 

The system of Claim 22, wherein a portion of the system constructed 
to transmit the SKE messages from a source to a destination further 
comprises: 

a) means for transmitting the SKE messages from the source to an 
intermediate serving system; and 

b) means for transmitting the SKE messages from the 
intermediate serving system to the destination. 

The system of Claim 24, further comprising: 

a) means for using a first portion of the session key as an 
authentication key in subsequent authentications of the 
wireless terminal in the intermediate serving system; and 

b) means for using a second portion of the session key as an 
encryption key in subsequent control signal transmissions. 

The system of Claim 22, wherein: 

a) the public/private key pairs comprise Diffie-Hellman 
public/private key pairs; and 

b) the SKE messages comprise Diffie-Hellman Encrypted Key 
Exchange (DH-EKE) messages. 

The system of claim 22, wherein: 

a) a portion of the terminal constructed to use the password to 
encrypt the wireless terminal's public key comprises: 

i) means for first concatenating the wireless terminal's 
public key with a first random number, thereby forming 
a first concatenated number; and 

ii) means for using the password to encrypt the first 
concatenated number; and 
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b) a portion of the terminal constructed to use the password to 
encrypt the home system's public key comprises: 
i) means for first concatenating the home system's public 
12 key with, a second random number, thereby forming a 

second concatenated number; and 
14 ") means for using the password to encrypt the second 

concatenated number. 
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